1. Technical Field
The invention relates to data encryption. More particularly, the invention relates to a graphical interface that cross maps hosts and storage devices to show the encryption and permission relationships between them.
2. Description of the Prior Art
The advantages of networked data storage technologies such as Network Attached Storage (NAS) and Storage Area Networks (SAN) are well established, but storing an organization's data on a network creates significant security risks. Technologies such as NAS and SAN that aggregate data in a storage network can improve scalability, manageability, and access to critical data, while substantially reducing the total cost of storage. Additionally, storage networks can simplify the process for enterprises seeking to implement comprehensive disaster recovery programs. However, data in networked storage environments is significantly more vulnerable to unauthorized access, theft, or misuse than data stored in more traditional, direct-attached storage. Aggregated storage is not designed to compartmentalize the data it contains, and data from different departments or divisions becomes commingled in the network. Data backup, off-site mirroring, and other disaster recovery techniques increase the risk of unauthorized access from people both inside and outside the enterprise. Partner access through firewalls and other legitimate business needs also create undesirable security risks. With storage networks, a single security breach can threaten the data assets of an entire organization.
Technologies such as firewalls, Intrusion Detection Systems (IDS), and Virtual Private Networks (VPN) seek to secure data assets by protecting the perimeter of the network. While important in their own right, these targeted approaches do not adequately secure storage. Consequently, they leave data within the network itself dangerously open to both internal and external attacks. Once these barriers are breached, e.g. via stolen passwords, uncaught viruses, or simple misconfiguration, data assets are fully exposed.
It is known to secure networked storage by protecting data both in transit and at rest on disk. The Decru DataFort™ product (Decru, Redwood City, Calif.; see FIG. 1) is an example of an encryption appliance, referred to as a storage security appliance, that fits transparently into NAS, SAN, and other environments, encrypting and decrypting data at wire speed. Because such devices are built specifically to secure data storage, storage security appliances combine high-performance hardware with comprehensive key management, thus creating a powerful, yet manageable security solution. Storage security appliances are typically application-independent, vendor-agnostic, and fit seamlessly into the existing network infrastructure. With a storage security appliance in place, enterprises can fully leverage the benefits of networked storage, confident that their data assets are secure.
Typical storage security appliances use secure storage compartments in the storage security appliance to compartmentalize data within a storage device, so users from one workgroup cannot access data belonging to another unless explicitly authorized to do so. Data in each secure storage compartment is encrypted under a different key, thus providing cryptographic separation: a host or user that is authorized for one compartment holds no key material that could decrypt data in another.
In connection with this feature of a storage security appliance, it would be advantageous if users could see the encryption and permission relationships between hosts and storage in one view.
It would be further advantageous if a user tool were available that enabled users to easily manage secure storage compartments (the encryption/key relationships) and the access permissions between hosts and those compartments.
It would also be advantageous if a user tool were provided that helped users easily find missing relationships or permissions when troubleshooting storage that a host can no longer see after a storage security appliance is installed.
It would also be advantageous to provide a user tool that could overlay cross mapping/relationship information on top of a topology view, thereby making it easy for a user to see missing or extraneous relationships between hosts and storage.
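The following Python example, added here and not part of the patent text or of any Decru product, illustrates the two ideas above: per-compartment key separation (each secure storage compartment has its own key identifier, checked for uniqueness) and a cross map of the fabric topology against the appliance's compartment permissions that reports missing relationships (a host reaches a storage device on the fabric but holds no permission to any compartment on it, so its storage "disappears" once the appliance is inline) and extraneous ones (a permission granted to a host that has no path to that storage). The host names, LUN names, key identifiers, data structures and text overlay are all constructed for the example.

```python
"""Cross map of host/storage topology against a storage security appliance's
compartment permissions. Illustrative example with constructed data; the
structures below are assumptions, not any real appliance's data model."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Compartment:
    name: str
    storage: str   # storage device (e.g. a LUN) the compartment lives on
    key_id: str    # identifier of the encryption key used for this compartment


@dataclass
class ApplianceConfig:
    compartments: dict[str, Compartment]   # compartment name -> compartment
    permissions: dict[str, set[str]]       # host -> compartment names it may access


def check_key_separation(cfg: ApplianceConfig) -> dict[str, list[str]]:
    """Return key_id -> compartments that share it. Empty means every
    compartment is encrypted under its own key, as separation requires."""
    by_key: dict[str, list[str]] = {}
    for c in cfg.compartments.values():
        by_key.setdefault(c.key_id, []).append(c.name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def cross_map(topology: dict[str, set[str]], cfg: ApplianceConfig):
    """topology: host -> storage devices the host can reach (zoning / LUN masking).
    Returns (missing, extraneous) as sets of (host, storage) pairs.
    missing:    host has a fabric path to the storage but no permitted compartment
                on it, so the host sees no usable storage through the appliance.
    extraneous: host is permitted a compartment on storage it has no path to
                (stale host, wrong zone, or a typo in the permission)."""
    missing: set[tuple[str, str]] = set()
    extraneous: set[tuple[str, str]] = set()
    for host, devices in topology.items():
        permitted = cfg.permissions.get(host, set())
        permitted_storage = {cfg.compartments[c].storage
                             for c in permitted if c in cfg.compartments}
        missing.update((host, dev) for dev in devices - permitted_storage)
        extraneous.update((host, dev) for dev in permitted_storage - devices)
    # Hosts that hold permissions but appear nowhere in the topology.
    for host, permitted in cfg.permissions.items():
        if host not in topology:
            extraneous.update((host, cfg.compartments[c].storage)
                              for c in permitted if c in cfg.compartments)
    return missing, extraneous


def render_overlay(topology: dict[str, set[str]], cfg: ApplianceConfig) -> str:
    """Text stand-in for a topology view with the cross map overlaid on it."""
    missing, extraneous = cross_map(topology, cfg)
    lines = []
    for host in sorted(topology):
        lines.append(host)
        for dev in sorted(topology[host]):
            comps = sorted(c.name for c in cfg.compartments.values()
                           if c.storage == dev and c.name in cfg.permissions.get(host, set()))
            mark = "MISSING permission" if (host, dev) in missing else "ok"
            lines.append(f"  -> {dev} [{mark}] compartments={comps}")
    for host, dev in sorted(extraneous):
        lines.append(f"  {host} -> {dev} [EXTRANEOUS permission, no fabric path]")
    return "\n".join(lines)


# Constructed sample data.
TOPOLOGY = {
    "host-finance": {"lun-01", "lun-02"},
    "host-hr": {"lun-02"},
    "host-eng": {"lun-03"},
}
CONFIG = ApplianceConfig(
    compartments={
        "finance": Compartment("finance", "lun-01", "key-a1"),
        "hr": Compartment("hr", "lun-02", "key-b2"),
        "eng": Compartment("eng", "lun-03", "key-c3"),
    },
    permissions={
        "host-finance": {"finance"},    # reaches lun-02 but has no compartment there
        "host-hr": {"hr"},
        "host-eng": {"eng", "hr"},      # granted "hr" on lun-02, which it cannot reach
        "host-legacy": {"finance"},     # decommissioned host still holding a permission
    },
)

if __name__ == "__main__":
    print("shared keys:", check_key_separation(CONFIG))
    print(render_overlay(TOPOLOGY, CONFIG))
```

Running the block flags host-finance's path to lun-02 as the missing relationship (the case a user would be troubleshooting when that host reports lost storage) and two extraneous permissions (host-eng on lun-02 and the absent host-legacy on lun-01), while confirming that no two compartments share a key.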